Lucene search
+L

21 matches found

Cvelist
Cvelist
added 12 hours ago11 views

CVE-2026-11575 PhonePe Payment Solutions < 3.1.0 - Unauthenticated Payment Bypass via Forged Callback

The PhonePe Payment Solutions WordPress plugin before 3.1.0 does not properly verify the authenticity of incoming payment callbacks: the secret used to validate the callback signature is empty on sites configured through the current setup flow, so the expected signature reduces to an unkeyed hash...

Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/08 12:33 p.m.5 views

CVE-2026-5356

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 5.4.0. This is due to the plugin's Stripe Connect payment processor accepting a client-supplied PaymentIntent ID. This makes it...

7.5CVSS6AI score0.0021EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/06 8:53 p.m.5 views

CVE-2026-42341

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. When the Custom payment adapter is enabled, an attacker can mark any unpaid invoice as paid and credit...

9.2CVSS6AI score0.00184EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/07/06 8:53 p.m.16 views

CVE-2026-42341

FOSSBilling versions 0.6.0–0.7.2 contain an unauthenticated payment bypass in the IPN callback endpoint. When the Custom payment adapter is enabled, an attacker can mark any unpaid invoice as paid and credit the client account without a real payment by sending a crafted HTTP request. Version 0.8....

9.2CVSS6AI score0.00184EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 8:53 p.m.37 views

CVE-2026-42341 FOSSBilling has an unauthenticated payment bypass via IPN callback forgery

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. When the Custom payment adapter is enabled, an attacker can mark any unpaid invoice as paid and credit...

9.2CVSS0.00184EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/06/26 8:28 a.m.9 views

WordPress User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin <= 5.2.0 - Missing Authorization to Unauthenticated Payment Bypass vulnerability

Missing Authorization to Unauthenticated Payment Bypass vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin User Registration versions = 5.2.0...

6.5CVSS5.8AI score0.0018EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/04/16 9:6 a.m.9 views

WordPress Payment Gateway for Redsys & WooCommerce Lite plugin <= 7.0.0 - Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation vulnerability

Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation vulnerability discovered by Nguyen Ngoc Duc duc193 in WordPress Plugin Redsys for WooCommerce Light versions = 7.0.0...

7.5CVSS5.8AI score0.00206EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/04/16 5:29 a.m.47 views

CVE-2026-5050 Payment Gateway for Redsys & WooCommerce Lite <= 7.0.0 - Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation

The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successfulrequest handlers calculating a local signature but not validating DsSignature from the request before...

7.5CVSS0.00206EPSS
Exploits0References2
Patchstack
Patchstack
added 2026/02/27 7:6 a.m.9 views

WordPress Fluent Forms Pro Add On Pack plugin <= 6.1.17 - Missing Authorization to Unauthenticated Payment Status modification vulnerability

Missing Authorization to Unauthenticated Payment Status modification vulnerability discovered by Prickly Cactus in WordPress Plugin Fluent Forms Pro Add On Pack versions = 6.1.17...

7.5CVSS5.3AI score0.00139EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/02/18 10:20 a.m.26 views

CVE-2025-14444

CVE-2025-14444 – RegistrationMagic for WordPress has a payment bypass vulnerability in the process_paypal_sdk_payment path. The issue arises from trusting client-supplied payment data without validating that PayPal payment actually completed, enabling unauthenticated users to activate registratio...

5.3CVSS5.7AI score0.00216EPSS
Exploits0References5
Patchstack
Patchstack
added 2026/02/18 12:47 a.m.14 views

WordPress RegistrationMagic - Custom Registration Forms, User Registration, Payment, and User Login plugin <= 6.0.6.9 - Unauthenticated Payment Bypass via rm_process_paypal_sdk_payment vulnerability

WordPress RegistrationMagic - Custom Registration Forms, User Registration, Payment, and User Login plugin = 6.0.6.9 - Unauthenticated Payment Bypass via rmprocesspaypalsdkpayment vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin RegistrationMagi...

5.3CVSS5.6AI score0.00216EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/02/15 9:13 p.m.6 views

WordPress SureForms - Drag and Drop Form Builder for WordPress plugin <= 2.2.1 - Unauthenticated Stripe Payment Amount Manipulation vulnerability

WordPress SureForms - Drag and Drop Form Builder for WordPress plugin = 2.2.1 - Unauthenticated Stripe Payment Amount Manipulation vulnerability discovered by andrea bocchetti in WordPress Plugin SureForms versions = 2.2.1...

5.5AI score
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/01/16 8:38 a.m.31 views

CVE-2025-14757 Cost Calculator Builder <= 3.6.9 - Missing Authorization to Unauthenticated Payment Status Bypass

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the completepayment AJAX action being registered via wpajaxnopriv,...

5.3CVSS0.00327EPSS
Exploits0References4
Patchstack
Patchstack
added 2025/11/27 9:41 a.m.8 views

WordPress SKT PayPal for WooCommerce plugin <= 1.4 - Unauthenticated Payment Bypass vulnerability

Unauthenticated Payment Bypass vulnerability discovered by ch4r0n - FPT Software in WordPress Plugin SKT PayPal for WooCommerce versions = 1.4...

7.5CVSS7AI score0.0029EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2025/11/11 12:30 p.m.6 views

EUVD-2025-84360

The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the...

5.3CVSS5.5AI score0.00318EPSS
Exploits0References3
NVD
NVD
added 2025/11/11 11:15 a.m.6 views

CVE-2025-12788

The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the...

5.3CVSS0.00318EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/11/11 11:3 a.m.10 views

CVE-2025-12788 Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Missing Payment Verification to Unauthenticated Payment Bypass

The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the...

5.3CVSS0.00318EPSS
Exploits0References2
Patchstack
Patchstack
added 2025/10/25 12:57 a.m.11 views

WordPress Tutor LMS plugin <= 3.8.3 - Missing Authorization to Unauthenticated Payment Status Update vulnerability

Missing Authorization to Unauthenticated Payment Status Update vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Tutor LMS versions = 3.8.3...

5.3CVSS7AI score0.00266EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2024/06/06 3:53 a.m.39 views

CVE-2024-1175 WP-Recall – Registration, Profile, Commerce & More <= 16.26.6 - Unauthenticated Payment Deletion via delete_payment

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deletepayment' function in all versions up to, and including, 16.26.6. This makes it possible for unauthenticated attackers to delete...

5.3CVSS5.2AI score0.00393EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2024/06/06 3:53 a.m.27 views

CVE-2024-1175 WP-Recall – Registration, Profile, Commerce & More <= 16.26.6 - Unauthenticated Payment Deletion via delete_payment

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deletepayment' function in all versions up to, and including, 16.26.6. This makes it possible for unauthenticated attackers to delete...

5.3CVSS6.9AI score0.00393EPSS
Exploits0References3
Rows per page
Query Builder